Internet Crime Complaint Center's (IC3)

Scam Alerts

October 23, 2012

This report, which is based upon information from law enforcement and complaints submitted to the IC3, details recent cyber crime trends and new twists to previously-existing cyber scams.

DATING EXTORTION SCAM

The IC3 has recently received reports regarding a scam that baits individuals into intimate online conversations and then extorting them for financial gain. The scam was initiated after the victims met someone online, such as on a dating site, and were asked to connect via a specific online social network. Shortly after, the conversations became sexual in nature. Later, victims received text messages, either containing their names, asking if it was them or containing a statement that indicated their names were posted on a particular website. The victims were provided a link to a page on the website that claimed they were a “cheater.” Photos of the victims and their telephone numbers were also posted. There was an option to view and buy the posted conversations for $9. Victims were also given the option to have their names and conversations removed for $99. Some were even told that once the payment was made, the information would be removed within an hour and the website would not allow anyone to post anything pertaining to the victims’ names again. However, reports do not indicate that the information was ever removed.

PAYDAY LOAN SCAMS

The IC3 has received thousands of complaints regarding pay day loan scams over the last three years and continues to see new variations of the scam. The scam involves victims who are relentlessly contacted, via the telephone, at their residences and places of employment. The subjects claim the victims are delinquent on a payday loan and must repay the loan to avoid legal consequences. The subjects use coercion techniques such as harassment, threats, and claims that they were representatives of government agencies and law firms. Only some of the victims have reported previously applying for a payday loan, others said they have never made such an application.

The subjects seem to have accurate information on the victims, including social security numbers, dates of birth, addresses, employer information, bank account numbers, names and telephone numbers of relatives and friends.

The subjects refuse to provide any details of the alleged payday loans and become abusive when questioned. Victims are threatened with legal actions, arrests and, in some cases, physical violence if they refuse to pay. Some have been told there was an outstanding warrant for their arrest. Many reported that subjects have also harassed their relatives, friends, and employers. In a couple of instances, the subjects came to the victims’ places of employment and residences claiming to be process servers.

Over the last couple of months, the scam has evolved from just receiving telephone calls to also receiving official-looking emails purportedly from the United States Attorney. The emails reference the FBI, court proceedings, and serious allegations. Allegations include violation of federal banking regulations such as collateral check fraud, theft by deception, and fraudulently conducting electronic fund transfers. Recipients were instructed to contact the subject within 48 hours of receiving the email.

NEW TDSS/TDL4 MALWARE INFECTS 46 OF FORTUNE 500

A new iteration of TDSS/TDL4 malware has infected at least 250,000 victims, including 46 companies in the Fortune 500, researchers said Monday.

According to a new report on the TDSS/TDL4 malware published by security firm Damballa, the new attack is using domain generation algorithm (DGA)-based communication for command-and-control (C&C).

Used by Murofet, Sinowal and the recent Mac-based Flashback malware, DGA communications techniques are being used to successfully evade detection by blacklists, signature filters and static reputation systems, and to hide C&C infrastructure, Damballa reported.

TDSS/TDL4 is malware known to infect the master boot record (MBR) of computers, making it resistant to common practices in remediation. It has been described as the "indestructible" botnet, with the ability to act as a launch pad for other malware. At one point it was reported as having infected over 4.5 million victims.

A total of 85 hosting servers and 418 unique domains were identified as being related to the new TDSS/TDL4 threat, Damballa said. The top three hosting countries for the C&C servers are Russia (26 hosts), Romania (15 hosts) and the Netherlands (12 hosts).

"With its known ability to act as a launch pad for other malware and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks go undetected for long periods of time," Antonakakis said.

Net-Security.org posted the following article on September 25, 2012:

TOP WORDS CYBER CRIMINALS USE IN FAKE EMAILS

The top words cybercriminals use create a sense of urgency, to trick unsuspecting recipients into downloading malicious files. The top word category used to evade traditional IT security defenses in email-based attacks relates to express shipping, according to FireEye.

Urgent terms such as "notification" and "alert" are included in about 10 percent of attacks. An example of a malicious attachment is "UPS-Delivery-Confirmation-Alert_April-2012.zip."

"Cybercriminals continue to evolve and refine their attack tactics to evade detection and use techniques that work. Spear phishing emails are on the rise because they work," said Ashar Aziz, founder and CEO, FireEye. "Signature-based detection is ineffective against these constantly changing advanced attacks, so IT security departments need to add a layer of advanced threat protection to their security defenses."

Cybercriminals also tend to use finance-related words, such as the names of financial institutions and an associated transaction such as "Lloyds TSB - Login Form.html," and tax-related words, such as "Tax_Refund.zip." Travel and billing words including "American Airlines Ticket" and "invoice" are also popular spear phishing email attachment key words.

Spear phishing emails are particularly effective as cybercriminals often use information from social networking sites to personalize emails and make them look mostly authentic. When unsuspecting users respond, they may inadvertently download malicious files or click on malicious links in the email, allowing criminal access to corporate networks and the potential exfiltration of intellectual property, customer information, and other valuable corporate assets.

FireEye highlights that cybercriminals primarily use zip files in order to hide malicious code, but also ranks additional file types, including PDFs and executable files.